Utah built the lightest-touch privacy law in the United States. The Utah Consumer Privacy Act (UCPA) took effect on December 31, 2023, and on nearly every axis that matters for cookies it asks less of you than Colorado, Connecticut, or Texas do. No universal opt-out mandate. No opt-in consent for sensitive data. A high revenue gate that keeps most small and mid-size companies out of scope entirely. If you comply with a stricter state, you almost certainly already comply with Utah.
Does the UCPA reach cookies?
The UCPA regulates personal data linked or reasonably linkable to an identifiable individual, so advertising cookies and device identifiers count when they build a profile. Functional-only cookies generally fall outside its scope.
The triggering activities are sale and targeted advertising. Like Virginia and Iowa, Utah defines a sale narrowly, as an exchange for monetary consideration only, so sharing data for non-monetary value may not be a sale here (though it can still be targeted advertising, which residents can opt out of).
The consent model: opt-out, no signal mandate
Utah uses an opt-out model. You may set analytics and advertising cookies by default, as long as you give residents a clear way to opt out of targeted advertising and sale, and honor it.
Utah does not require honoring a universal opt-out mechanism. A Utahn's GPC signal doesn't automatically bind you under the UCPA the way it does in Colorado. A manual opt-out control is enough. As with Virginia, honoring GPC anyway is the pragmatic move, since it covers the states that require it and spares you per-state banner logic.
Sensitive data: notice and opt-out, not opt-in
This is the biggest gap from the Colorado line. Most states make you get opt-in consent before processing sensitive data. Utah asks only that you provide clear notice and an opportunity to opt out before processing it. So a tracker touching precise geolocation, health information, or the other sensitive categories can run by default in Utah, provided you've disclosed it and offered a way out. (For a known child under 13, you still follow COPPA.) That's a materially lighter obligation, and it's why a single opt-in setup built for stricter states will over-comply in Utah, which is fine.
The monetary-sale definition in practice
Utah's narrow definition of a sale (monetary consideration only) has a real effect. Handing advertising identifiers to a partner in exchange for analytics or audience matching, with no money changing hands, may fall outside Utah's sale right, though it's usually still targeted advertising a resident can opt out of. Don't lean too hard on this. The distinction is thinner than it looks, it shifts with how a deal is structured, and it disappears entirely in states like Colorado that count non-monetary value as a sale. Treating any external identifier sharing as opt-out-eligible is the simpler and safer default.
Who's covered
Utah's thresholds knock out most companies. The UCPA applies only to businesses with $25 million or more in annual revenue that also either process the data of 100,000 or more consumers in a year, or derive over 50 percent of gross revenue from selling personal data while processing the data of 25,000 or more consumers. The revenue floor is a hard gate: under $25 million and the UCPA doesn't apply at all, no matter how much data you handle. That single line exempts the vast majority of small and mid-size sites.
What Utah leaves out
Utah's law is defined as much by what it skips as by what it requires. There's no data protection assessment obligation, the kind Colorado and Virginia impose before high-risk processing like targeted advertising. There's no right to correct inaccurate data. And there's no profiling opt-out. For a business already compliant elsewhere, none of this changes your build, since you'll over-comply by default. But it explains why Utah rarely drives new engineering work: a setup that satisfies Colorado or Virginia clears Utah with room to spare. The one Utah-specific decision is whether to run notice-and-opt-out for sensitive data (matching Utah exactly) or opt-in (matching every stricter state at once).
Penalties and enforcement
Utah splits enforcement. The Division of Consumer Protection (within the Department of Commerce) investigates complaints, and the Attorney General brings the action. There's a 30-day cure period that doesn't sunset, and if a violation isn't fixed, penalties reach up to $7,500 per violation, plus recovery of actual damages to consumers. The two-office structure and permanent cure window make Utah among the least aggressive privacy regimes, but the law is still enforceable.
A practical setup for Utah traffic
- Check the revenue gate first. Under $25 million and you're likely out of scope for Utah entirely.
- If covered, publish an opt-out for sale and targeted advertising.
- Give notice and an opt-out for sensitive data. Opt-in isn't required, but the notice and the opt-out are.
- Honor GPC anyway, to cover the stricter states your traffic includes.
- Keep a privacy notice that discloses your processing and sensitive-data use.
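The steps above expressed as one decision function, added here as an illustration (not CookieBeam's code or API): it applies the revenue gate, then decides which tag categories may load for a Utah visitor. All function and field names are hypothetical; `Sec-GPC: 1` is the request-header form of the GPC signal.

```javascript
// Added example: every name here is hypothetical, not CookieBeam's API.

// Step 1: applicability gate, using the thresholds stated on this page.
function ucpaApplies({ annualRevenueUsd, consumersPerYear, saleRevenueShare }) {
  if (annualRevenueUsd < 25000000) return false; // hard revenue floor
  const byVolume = consumersPerYear >= 100000;
  const bySale = saleRevenueShare > 0.5 && consumersPerYear >= 25000;
  return byVolume || bySale;
}

// GPC reaches the server as "Sec-GPC: 1"
// (in the browser: navigator.globalPrivacyControl === true).
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Steps 2-4: which categories may load for a Utah visitor.
// sensitiveMode 'notice-opt-out' matches Utah; 'opt-in' matches stricter states.
function utahTagDecision(visitor, sensitiveMode = 'notice-opt-out') {
  const { headers = {}, optedOut = false, noticeShown = false,
          sensitiveOptedOut = false, sensitiveOptedIn = false } = visitor;
  // The UCPA does not mandate GPC; it is honored here like a manual opt-out.
  const blocked = optedOut || hasGpc(headers);
  let sensitive = false; // unknown mode fails closed
  if (sensitiveMode === 'notice-opt-out') {
    sensitive = noticeShown && !sensitiveOptedOut;
  } else if (sensitiveMode === 'opt-in') {
    sensitive = sensitiveOptedIn && !sensitiveOptedOut;
  }
  return {
    analytics: true, // opt-out model: may be set by default
    targetedAdvertising: !blocked,
    sale: !blocked,
    sensitiveProcessing: sensitive,
  };
}

// Constructed sample visitors.
const defaultVisitor = { noticeShown: true };
const gpcVisitor = { noticeShown: true, headers: { 'sec-gpc': '1' } };
console.log(utahTagDecision(defaultVisitor));
console.log(utahTagDecision(gpcVisitor));
console.log(utahTagDecision(defaultVisitor, 'opt-in'));
```

In notice-and-opt-out mode, sensitive processing stays off until the notice has actually been shown, which is the one condition Utah attaches to running it by default.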
How CookieBeam handles Utah
CookieBeam's US opt-out states preset serves the UCPA opt-out model, with a "Your Opt-Out Rights" control for sale and targeted advertising. GPC honoring is default-on in the runtime; Utah doesn't require it, so this is you being stricter than the law demands, which keeps your logic uniform across states. For sensitive data you can run notice-and-opt-out to match Utah exactly, or opt-in to satisfy every state at once. The regional consent engine serves opt-out to Utah and opt-in to the EU from a single banner. Confirm the current UCPA text before finalizing.
Related guides
See universal opt-out mechanisms across US state laws, sensitive data consent under US state laws, and the complete guide to US state privacy laws. Primary source: the Utah Division of Consumer Protection UCPA page.